The Wannacry authors also want their Bitcoin Cash

ElevenPaths    27 March, 2018
The 12th of May 2017 was a day for many of us which we will not easily forget. Wannacry was one of those incidents which had a major impact upon public opinion. Taking advantage of the already famous EternalBlue vulnerability, the programme maliciously managed to encrypt the files of thousands of computers asking in exchange for a ransom of $300 of bitcoins. The question is, what happened to these ransoms paid by the victims?

The balance of the addresses
The three identified Bitcoin addresses managed to raise more than 51 bitcoins (available here, here and here). To date, more than half a million dollars have been exchanged. However, the design of the ransom collection system could be improved. Presenting the same address to different victims made it difficult for the attackers to determine which victim had made the payment. Taking into account that the Bitcoin transactions remain registered in a chain of blocks within Bitcoin, the victims could impersonate other victims who had paid by taking credit for a particular transaction.

In the case of Bitcoin, the recommendation for those who manage platforms where you can pay for goods or services in Bitcoins is to generate a unique payment address for each client who carries out a purchase.. In this way, it is convenient for the business to verify if a client has already carried out the payment within the chain of blocks. These recommendations are also applicable for the case of Wannacry: in spite of being extortion, the ideal model would have generated a different address for each user, which would have allowed the attacker to have a simple table in which to associate each billing address with a different decryption key.

Furthermore, this operation would have had another positive side effect for the attacker: the investigators wouldn´t have been able to generate more than a small subset of billing addresses (one for each detonation in the sample) and the task of measuring the total number of infections would be more complex. The options in order to achieve this would have been to track and try to analyse some known email addresses, once they would start to observe the movement of these accounts, if they ended up converging at some point. The reason behind why this wasn´t applied came to light shortly afterwards:one race condition in the process of the generation of the unique addresses for each victim prevented it from working well and ended up becoming one of the now famous three addresses.

Wannacry´s movements
Just days after they closed the 2017 edition of Blackhat USA y Defcon, on 3rd August they produced the first movements from the most monitored Bitcoin addresses: six different operations recorded in the Bitcoin blockchain in a period of just a few minutes (precisely at 03:06, 03:07, 03:13, 03:14, 03:14 and 03:25). Thus began the process of pursuing these addresses that would soon begin to blend into a succession of operations.

Primeros movimientos de Wannacry imagen
Figure 1. Wannacry´s first movements.

On the basis that in order for the three addresses to carry out an operation, the author or authors of the attack would have had to have signed the three addresses with the private corresponding keys and assign them to a particular node of the chain of blocks so that they could be added. From there, the author himself could generate a list of countless addresses under his control among which to perform these operations to confuse the researchers.

However, if we use tools such as Blockseer we we will be able to realize that in just five jumps, the money ends up associated with a market,, that has been operating as a crypto-currency exchange since 2013. From Hitbtc you can exchange these Bitcoins for many other currencies such as Ethereum, Etherum Classic, Litecoin, Lisk… or others that have been designed to protect the anonymity of the user, such as Monero, Dash or Zcash. 

Visualización de movimientos en Blockseer imagen
Figure 2. A visualisation of Blockseer’s movements

On some of these platforms, the general registration process is trivial and does not require the provision of additional information, unless you want to proceed to buying and selling with conventional currencies, as each user guide explains. In any case, for many of the researchers, this would be a good starting point because this platform would indeed have information of the operations involving an account very close to the authors, even though they knew that those involved might not be these ones. 

Not only Bitcoins: the consequences of the forks
You have seen the Bitcoin transactions carried out on the 3rd August; however, a few days before, a very important event took place for Bitcoin’s ecosystem: the hard fork of Bitcoin Cash. Due to the disproportionate increase of the transaction fees (a consequence of the increase in the popularity of Bitcoin and the limitation of the of the 1 MB block size); one part of the community proposed the need to increase the offer of available space in order to register operations every 10 minutes, which means, increasing the maximum size of each Bitcoin block. 

Dashboard del exchange HitBTC imagen
Figure 3. The HitBTC Exchange dashboard

In order to materialise this proposal, the drivers of Bitcoin cash planted the possibility that the network miners would come to accept the blocks with a maximum size of 8MB from the 1st of August; with the hope that the increase in the space offered would provoke a reduction in price in which the users were paying in order to include their transactions in a block. Which meant more space offered for the same block space demand, meaning less commissions. 

tamaño medio por bloque imagen
Figure 4. The average block size. 

However, the proposal brought with it various questions that worried many. On one side, those blocks added in one day with the conventional protocol could increase by about 144 MB per day (at a rate of 6 MB per hour). The increasingly heavy Bitocin blockchain increases by the size of 8MB per block (48 MB an hour), which could cause a daily increase of 1152 MB daily. These and other questions of an ideological nature, resulted in that the proposal was not accepted by the whole network, but only by a small part of it, which led to two different block chains with a common base: the one of the conventional Bitcoin which operated under the old regulations of 1MB per block and the one of Bitcoin Cash, which permitted the users to spend their Bitcoins, including those in the blocks of up to 8MB. Thus, those who would have bitcoins in their account on the 1st August (as was the case of the Wannacry authors) could spend them in two different blockchains under different rules. Today, the value of a Bitcoin and that of Bitcoin Cash is very different ($8100 for one Bitcoin unit and $912 for a unit of Bitcoin Cash), but the amount for this crypto-currency continues being relevant.  

Forks de la cadena de bloques de Bitcoin imagen
Figure 5. Forks from the Bitcoin block chain. 

Therefore, what happened with Wannacry’s Bitcoin cash? It is not clear if it was due to ignorance or a lack of interest, but it is certain that the associated Bitcoin Cash to the accounts of Wannacry remained in them until various months after the 7th November 2017. On this date, the authors carried out a unique transaction which collected the entire balance of Bitcoin Cash from all three addresses into a single address, specifically in 122TBuG4jWjsfSABdNu4zNrBaREEk2a8od, a priori in order to simplify the management.

Erasing the trace of the operations
After the movements in August, some of the exchange platforms such as ShapeSift y Changelly already expressed that they were collaborating with the authorities, after identifying that their platforms had been used for the exchange of the crypto-currency for Monero. But, what options could someone have who would want to blur the trail of the operations into blockchains such as Bitcoin or Bitcoin Cash? To do this there are so-called coin mixers. These are platforms that, in exchange for a commission, automatically mix the balance coming from several accounts to make it difficult for an observer to see where the money is actually coming from. 

Given that this type of task can also be programmed manually, ElevenPaths is aware of the existence of the following different mixers available to anyone who offers this type of service for Bitcoin Cash, such as or (others exist such as or, but they were created after the first movement of the money in Bitcoin Cash).  

Funcionalidad de un mixer imagen
Figure 6. The functionality of a mixer. 

In the case of, the user must provide an address where you expect to receive the money to be hidden and the number of blocks where you expect to receive it. Because of the way works, the user is asked to send the amount of the trace he or she wants to blur to an address under the control of the platform, along with a small amount to cover the costs of the network and to pay for the service itself.

Funcionamiento de imagen
Figure 7. The function of

After the agreed amount of time has elapsed, the applicant will receive the balance in the fixed address set as part of the transaction, in which also will involve other implicated linked addresses to the platform and potentially, of other users. This is the process in which assists to blur the source of the address of the transactions; since the balance received at the destination address does not come from the original service request transaction (this balance, in our case, remained under the control of the platform at the address 1NgUGX9F9zU4QtU9svqCd4gyyFvKhGyKBj). 

Operación de imagen
Figure 9. Bitcoin Cash mixer platform.

However, it must be taken into account that this facilitated address from had already received 125 previous operations during the test. This is relevant given that in the event that we have visibility in the future of an address that operates at some point with this particular one, we will be able to know with certainty that it has used this mixing service.

Also, it is necessary to emphasize the great amount of inputs that appear in the payment that we receive in our destination account.. This operation would allow us to identify the addresses that the service uses to mix the transactions; taking into account that in order to utilize the inputs that appear in it, the mixer will have had to sign the transactions with the corresponding private keys. The function of is something different. In its case, it offers the possibility of carrying out this task for various cryptocurrencies and not only for Bitcoin Cash. It gives the possibility of configuring the various return addresses and different percentages in such a way that monitoring the operations is considerably complicated, since it will not be as effective if it is analyzed based on the transferred balance. 

Plataforma de mixer de Bitcoin Cash imagen
Figure 9. Bitcoin Cash mixer platform. 

Unlike Coinmix, in the case of the addresses where the user has to send the money are unique for each concealed transaction. In this way a team of analysts cannot utilize the block chains to monitor the utilized addresses in between and identify the possible users. In fact, in the case of this platform, the implicated addresses are only utilized twice: once to receive money and the other time to transfer it.

Transacción de Privcoin imagen.
Figure 10. Details of the Privcoin transaction. 

What is the current balance of the Wannacry accounts?
In spite of the operations described so far, the outgoing transactions imply that there are not too many accounts. In the case of Bitcoin, for example, the addresses have continued receiving payments after most of the account balance has left. Furthermore, due to the fork of Bitcoin Cash, another variable must be added, the fork of Bitcoin Gold that took place in the last quarter of the year. This new fork is claimed to be designed to democratize the mining process and was based upon the Bitcoin blockchains.
In fact, the Bitcoin accounts have continued receiving operations after the August withdrawals. For this reason, 1,89111948 bitcoins (0,23814854, 1,38351522 y 0,26945572) are still outstanding, slightly more than $15200 of which must total to $84 corresponding to the 1,53575699 Bitcoin Gold which there are also in their accounts. It seems reasonable to think that the question is not whether there will be more movements, but when they will take place. 
Félix Brezo
ElevenPaths Innovation team and Laboratory
Yaiza Rubio
ElevenPaths Innovation team and Laboratory

Leave a Reply

Your email address will not be published.